
Noncompliant Code Example

Here is another example. Weathernews Touch, a weather-report app for Android, wrote the user's location data to the log output as follows:

I/MySoraPieceMyWeatherReport( 6483): Re-use MySoraPiece MyWeatherReport data
I/ ( 6483): GET JSON: http://example.com/smart/repo_piece.cgi?arc=0&lat=26.209026&lon=127.650803&rad=50&dir=-999&lim=52&category=1000

On Android OS 4.0 or earlier, any other application holding the READ_LOGS permission can read this log output and obtain the user's location without declaring the ACCESS_FINE_LOCATION permission in its own manifest file.
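The compliant direction is to keep the sensitive data out of the log in the first place. The following helper is an added example and is not code from the CERT rule or from the JSSEC guidebook; it assumes a DEBUG flag standing in for BuildConfig.DEBUG and a hypothetical SafeLog.i standing in for android.util.Log.i so that it compiles and runs on a plain JDK. It gates logging on debug builds and redacts the location-bearing query parameters (lat, lon, rad) of a request URL before the string is ever handed to the logger, using the request URL from the log excerpt above as sample input.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not CERT's or JSSEC's code): a log helper that
 * (1) emits log output only in debug builds and
 * (2) redacts location parameters before anything reaches logcat.
 */
public final class SafeLog {
    // Hypothetical stand-in for BuildConfig.DEBUG; false in a release build.
    static final boolean DEBUG = false;

    // Query parameters that reveal the user's position and must never be logged.
    private static final Set<String> SENSITIVE_PARAMS =
            new HashSet<>(Arrays.asList("lat", "lon", "rad"));

    /** Replace the value of every sensitive query parameter with "[redacted]". */
    static String redactUrl(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            // Never fall through and log the raw string if it cannot be parsed.
            return "[unparseable url]";
        }
        String query = uri.getRawQuery();
        if (query == null) {
            return url; // nothing to redact
        }
        StringBuilder out = new StringBuilder();
        for (String pair : query.split("&")) {
            if (out.length() > 0) {
                out.append('&');
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (SENSITIVE_PARAMS.contains(key)) {
                out.append(key).append("=[redacted]");
            } else {
                out.append(pair);
            }
        }
        String base = url.substring(0, url.indexOf('?'));
        String fragment = uri.getRawFragment();
        return base + "?" + out + (fragment != null ? "#" + fragment : "");
    }

    /** Debug-only info log; a release build emits nothing at all. */
    static void i(String tag, String msg) {
        if (DEBUG) {
            // On a device this would be android.util.Log.i(tag, msg).
            System.out.println("I/" + tag + ": " + msg);
        }
    }

    public static void main(String[] args) {
        // Sample request URL taken from the log excerpt in the noncompliant example.
        String request = "http://example.com/smart/repo_piece.cgi"
                + "?arc=0&lat=26.209026&lon=127.650803&rad=50&dir=-999&lim=52&category=1000";
        // Even a debug build now logs a line without the coordinates.
        i("MyWeatherReport", "GET JSON: " + redactUrl(request));
        // Show the redacted form regardless of the DEBUG setting.
        System.out.println(redactUrl(request));
    }
}
```

Redaction is applied at the call site rather than relying on the build flag alone, so a debug build left on a user's device, or a log line copied into a crash report, still carries no location data.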

Proof of Concept

The following code reads the log output of a vulnerable application:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import android.widget.TextView;
import android.widget.Toast;

// Runs inside an Activity (for example in onCreate) that holds READ_LOGS.
final StringBuilder slog = new StringBuilder();

try {
  Process mLogcatProc;
  // Dump the existing log buffer once (-d); the filter spec shows only the
  // listed tags at the given priorities and silences everything else (*:S).
  mLogcatProc = Runtime.getRuntime().exec(new String[]
      {"logcat", "-d", "LoginAsyncTask:I APIClient:I method:V *:S" });

  BufferedReader reader = new BufferedReader(new InputStreamReader(
      mLogcatProc.getInputStream()));

  String line;
  String separator = System.getProperty("line.separator");

  // Collect every line logcat prints, including any sensitive data logged
  // by other applications.
  while ((line = reader.readLine()) != null) {
    slog.append(line);
    slog.append(separator);
  }
  Toast.makeText(this, "Obtained log information", Toast.LENGTH_SHORT).show();

} catch (IOException e) {
  // handle error
}

// Display the collected log text in the activity's view.
TextView tView = (TextView) findViewById(R.id.logView);
tView.setText(slog);

This rule is a special case of FIO13-J. Do not log sensitive information outside a trust boundary (an earlier revision cited IDS03-J. Do not log unsanitized user input).

Risk Assessment

Logging sensitive information can leak it to malicious apps that read the log.

Bibliography

[JSSEC 2013] Android Secure Coding Guidebook by JSSEC, 4.8 Output log to LogCat